Feature to track data about hardware wallets and installed applications has been discovered in Ledger Live
The device activates authentication when interacting with applications
28.12.2023 - 08:57
What’s new? Ledger Live, the software for Ledger hardware crypto wallets, tracks data about users and the applications installed on their devices, a developer known by the nickname @rektbuildr reported on his X page, based on his analysis of the program’s code. According to him, Ledger Live activates authentication when interacting with applications installed on the wallet, which prevents anonymous use of the device.
What else is known? The developer said that device authentication is embedded in the listApps subroutine, and that the program starts working incorrectly when you try to disable remote tracking. As a result, Ledger records every time the device is turned on and knows what applications are running on it.
“Hardware wallets should work 100% offline. No phoning back anything at all. It’s crazy that we have to be discussing this in 2023 but here we are,” @rektbuildr emphasized.
He also noted that Ledger recently implemented a private key recovery feature under which parts of the key are deposited with third parties, and wondered how the company can ensure that this data is protected from being read by unauthorized parties.
The developer emphasized that he does not want to spread panic (FUD), but urged users not to upgrade Ledger Live to a newer version if they are happy with the current one.
He also believes Ledger should allow experienced users to work with fully standalone devices by making the use of Ledger Live optional.
Earlier this month, hackers exploited Ledger Connect Kit, a JavaScript library used to connect websites to Ledger’s hardware wallets. The company patched the vulnerability and said that the attack did not affect the integrity of Ledger hardware or Ledger Live and only affected third-party decentralized applications (DApps) that used the library.
Ledger later reported that users lost $600,000 due to the vulnerability of the blind signing mechanism. The company pledged to reimburse the losses and to replace the mechanism for interacting with DApps with a fully transparent one by June 2024.